Security Bits – USB Restricted Mode, Apple’s Focus on Security in OS Announcements

Followups

  • Telegram have now been able to update their apps on Apple’s non-Russian app stores — nakedsecurity.sophos.com/…
  • The VPNFilter malware/botnet story continues to evolve as security researchers find more router makes and models are affected. Additions to the list include routers by Asus, D-Link, Huawei & ZTE — www.zdnet.com/…, nakedsecurity.sophos.com/… & www.imore.com/…
  • 🇺🇸 As anticipated, the vote to restore net neutrality that passed the Senate recently was not even taken up by the House of Representatives, so they didn’t even get a chance to vote on it, and President Trump didn’t get a chance to veto it. Net Neutrality has officially ended in the US — nakedsecurity.sophos.com/… & www.macobserver.com/…

Security Medium 1 — USB Restricted Mode

It wasn’t mentioned during the recent WWDC keynote, but some recent beta versions of iOS have included a new security feature named USB Restricted Mode. The concept is simple: if an iOS device has not been unlocked recently, then its USB interface will behave as if it were connected via a charge-only USB cable. That is to say, the power pins will function normally, but the data pins will play dead.

One of the mechanisms attackers use to try to break into a lost, stolen, or seized iOS device is to connect it to a computer over USB, and then attack the phone via that port. If the OS on the device is out of date, that may well be trivially easy to do: just use a known-patched exploit against it!

This is also the mechanism used by grey-hat companies like Grayshift, makers of the GrayKey iPhone cracking device, to try to break into phones on behalf of law enforcement agencies.

This feature is still in beta, so the specifics are still subject to change. Indeed, until this week Apple had not even officially acknowledged the existence of the probable future feature.

Why has this feature been in the news all week then?

One reason is that the feature is included in the first iOS 12 beta. Another is that Apple have now acknowledged the feature’s existence. But, I think what really set the cat among the pigeons was an article by the New York Times (NYT) that spun the feature as an attempt by Apple to thwart law enforcement. This is of course totally wrong-headed, but it does make for some great click-bait! It’s in response to the NYT’s reporting that Apple have acknowledged the feature’s existence.

The grey-hat companies also helped fan the news flames by claiming they have already found a workaround for the feature. We have nothing to go on but their word for that, so make of it what you will.

We’ll probably re-visit this story when iOS 12 launches, by which time we’ll probably know exactly how the feature works, and what its implications are.

Links

Security Medium 2 — Apple Focuses on Security in OS Announcements

As usual, Apple previewed their major OS updates at their annual Worldwide Developers Conference (WWDC). macOS 10.14 Mojave and iOS 12 will be released ‘in the fall’, but the first beta versions are already in the hands of developers and journalists.

Something that was very noticeable during the keynote presentation was a strong focus on security for both the Mac and iOS. I don’t want to go into an exhaustive list, so these are just some highlights that caught my eye.

Improved Privacy Protections in Safari

The next versions of Safari will improve your privacy in two very important ways.

Firstly, Apple are updating their AI-driven privacy protection to block more kinds of trackers, including things like Facebook Like buttons. The exact details of how this will work are not clear yet, but the intention is, and I think that makes it worthy of special mention.

Secondly, Apple is striking a blow against browser fingerprinting. We’re well aware of overt tracking technologies like cookies — they preserve state between web page loads by design. But there is a second kind of tracking that’s less well known, but much more insidious — browser fingerprinting.

The idea is very simple — each time a browser sends a request to a website it includes some headers in that request. These headers contain information the server may find useful when formulating its response. The information in these headers all looks innocuous — your browser version, your OS, a list of acceptable MIME types (plugins like Flash and Silverlight will add themselves to this list), an ordered list of preferred locales (e.g. EN-GB followed by EN-US), a list of available fonts, your screen resolution, and so on. Individually, none of this information identifies you uniquely in any way.

How many million people are using the same browser as you? How many million use the same OS? How many million web surfers prefer British English over US English? The thing is, if you get enough pieces of data that don’t identify you very well, and put them all together, you soon start to get a very unique fingerprint — how many people have the identical browser version as you, and the identical OS version, and the identical language preferences, and accept the same list of MIME types, and have exactly the same list of fonts installed, and have the same screen resolution, and so on?

Advertisers and trackers have found the answer to be very few! In other words, in aggregate, all these little signals soon add up to an almost unique fingerprint that can be used to re-connect browsing sessions even when private browsing is enabled, or when cookies get deleted, or even to connect events on completely separate websites together.

So what has Apple done? Simple, they’ve removed the headers that weren’t really needed, and standardised others. For example, instead of returning the list of all installed fonts, Safari will only return the default fonts that come with the OS — suddenly all Macs look the same as each other when it comes to fonts, hence neutralising the signal from that header. By removing the variability from as many headers as possible, Apple have turned the entropy right down, effectively making more and more Safari users indistinguishable from each other.
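
The drop in entropy described above can be measured. This is an added example, not code from the original post or from Apple: it groups a constructed population of eight visitors by their combined signals and reports the Shannon entropy and the smallest anonymity set before and after font lists are standardised. The visitor records, field names and function names are all assumptions made for illustration.

```javascript
// Constructed sample population: every value is invented for illustration.
const row = (langs, fonts, screen) =>
  ({ ua: "Safari", os: "macOS", langs, fonts, screen });
const visitors = [
  row("en-GB,en-US", "system+FontA", "1440x900"),
  row("en-GB,en-US", "system+FontB", "1440x900"),
  row("en-GB,en-US", "system", "1440x900"),
  row("en-GB,en-US", "system+FontA+FontB", "1440x900"),
  row("en-US", "system+FontA", "2560x1440"),
  row("en-US", "system+FontC", "2560x1440"),
  row("en-US", "system", "2560x1440"),
  row("en-US", "system+FontB+FontC", "2560x1440"),
];
const ALL = ["ua", "os", "langs", "fonts", "screen"];

// Group visitors by the combined value of the chosen signals.
function anonymitySets(pop, fields) {
  const sets = new Map();
  for (const v of pop) {
    const key = fields.map((f) => v[f]).join("|");
    sets.set(key, (sets.get(key) || 0) + 1);
  }
  return sets;
}

// Shannon entropy (bits) of the fingerprint distribution over the population.
function entropyBits(pop, fields) {
  let h = 0;
  for (const n of anonymitySets(pop, fields).values()) {
    const p = n / pop.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Size of the smallest crowd a visitor can hide in (1 = uniquely identifiable).
function smallestSet(pop, fields) {
  return Math.min(...anonymitySets(pop, fields).values());
}

// Model of the change described above: report only the OS default fonts.
function standardiseFonts(pop) {
  return pop.map((v) => ({ ...v, fonts: "system" }));
}

const report = (label, pop) =>
  `${label}: ${entropyBits(pop, ALL).toFixed(2)} bits, smallest set ${smallestSet(pop, ALL)}`;
console.log(report("before", visitors));
console.log(report("after ", standardiseFonts(visitors)));
```

In this constructed population no single signal singles anyone out, yet the combination makes all eight visitors unique; collapsing the font signal alone puts every visitor back into a group of four.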

Better Password Management in iOS

In iOS 11 Apple experimented with using FaceID on iPhone X to protect the iCloud keychain. Before Safari on an iPhone X auto-fills a password, it uses FaceID to make sure it’s really you using the phone. In iOS 12, that behaviour is expanded to include TouchID, so users of other iOS devices will also have to prove their identity before passwords auto-fill.

Another big password-related change is the addition of APIs to allow 3rd-party password managers to integrate with password dialogues, making them as easy to use as the built-in keychain.

A Better Sandbox on the Mac

On the Mac side, Apple have put a lot of effort into improving the list of available entitlements apps can request, making it possible for ever more powerful apps to be sandboxed, and hence, to appear in the Mac App Store. To underline the level of improvement, two of the highest profile apps driven out of the Mac App Store by the sandboxing requirement, BBEdit and Transmit, are returning!

As well as improving the sandbox for app developers, Apple have also added some user-facing privacy enhancements. More OS-level APIs will now protect your devices and data with explicit opt-in dialogues. For example, whenever an app requests microphone or camera access, the OS will pop up a dialogue asking your permission before granting the requested access.

And Much Much More ….

Notable Security Updates

Notable News

  • Intel released a security advisory announcing the Lazy FP State Restore vulnerability. This bug affects their entire Core line of CPUs, but thankfully it’s difficult to exploit, especially remotely, and can be entirely mitigated by OSes without the need for any microcode updates. OS vendors have begun the process of rolling out fixes — www.bleepingcomputer.com/…
  • Security researchers have responsibly disclosed the details of a bug in many archiving apps and libraries that they have named ZIP Slip. The bug allows maliciously crafted ZIP files to replace system files when vulnerable apps/libraries try to un-zip them. Because the bug was responsibly disclosed, most of the affected apps have been updated, so for the most part, all regular users have to do is keep their software up to date — nakedsecurity.sophos.com/…
  • Google add Insider Attack Resistance, basically hardware security protections similar to Apple’s Secure Enclave, to their Pixel 2 phones — android-developers.googleblog.com/…
  • Apple bans developers from creating, selling user Contacts databases — arstechnica.com
  • Security researchers have reported that through a combination of poor programming practices and arguably insufficiently clear documentation, many 3rd-party Mac security apps (including VirusTotal & Little Snitch) failed to properly verify digital signatures on apps. Updates are being released, and Apple have clarified their API documentation — arstechnica.com
  • Responding to pressure from employees, Google has pledged not to use AI to create weapons of war, facilitate illegal surveillance, or cause ‘overall harm’. The new rules do not go so far as to rule out working with military or intelligence organisations — nakedsecurity.sophos.com/…
  • 🇪🇺 Some major internet pioneers, including Tim Berners-Lee & Jimmy Wales, have gotten together to send an open letter to the European Parliament, urging them to vote down the current proposal for article 13 of the upcoming new EU-wide law on copyright. Their argument: the law is too vague, and it appears to mandate problematic recognition technologies like those used by YouTube for all content uploaded by Europeans to any large internet site — nakedsecurity.sophos.com/…

Suggested Reading

Palate Cleansers
